Micro-segmentation

"Use the cloud IaaS provider’s native security capabilities…to automate security controls throughout the application life cycle."
Gartner

Cloudvisory has developed a Contextual approach to micro-segmentation to stop cyber-attacks in public and private cloud environments. Unlike existing solutions that are based on virtualized firewall technologies, Linux iptables, Windows firewalls and network overlays, Cloudvisory leverages the Provider's existing cloud-native security controls to enforce workload micro-segmentation. Using cloud-native APIs for infrastructure and data flow discovery greatly accelerates deployment and eliminates the overhead of managing the agents that competing solutions require.

"Micro‑segment by default. As a best practice, all security policies should be applied based on tags and memberships."
Gartner

The Benefits of Cloud-Native Controls

Public and Private Cloud environments have powerful security controls embedded in their infrastructure. When configured correctly, these native security controls provide the strongest support to protect dynamic applications and micro-services running in the cloud. Legacy security controls are static, difficult to scale, complex to configure, and were not designed for cloud environments. These legacy tools cannot be retro-fitted to work smoothly in cloud environments. Because cloud infrastructures are whitelist-based (traffic is denied unless a native control explicitly allows it), a legacy segmentation tool's own controls will not work unless the cloud's native security controls are also configured accurately. CSP automatically provisions, secures, and monitors multiple cloud environments using enforcement controls that are native to each cloud provider.

Micro-segment by Default

CSP discovers existing workloads and their data flows across multiple cloud providers to automatically generate segmentation policies based on their Context. These policies are independent of physical or virtual infrastructures, and are automatically provisioned when new workloads are created by infrastructure orchestrators such as Chef, Ansible, Puppet, AWS CloudFormation, and others. Policies enabled with this granularity allow only necessary network connections in a workload or application, and block anything else. Policy rules are also updated dynamically as changes in the environment are detected.

The Importance of Contextual Segmentation

Policy segmentation is automatically determined based on the workload's Context, which gives Business, DevOps and Security teams operational agility by removing the complexity of managing micro-segmentation rules in cloud security groups. Cloudvisory's unique architecture imposes no limits on logical groups, unlike legacy solutions, which have limited context.

As the environment changes, spins up additional workloads, or reduces the number of workloads, CSP immediately calculates and provisions/de-provisions the required micro-segmentation policies based on workload Context. This results in highly consistent and immutable security across complex hybrid or multi-cloud environments.
With CSP, workload Context drives automatic micro-segmentation. A workload's Context, and the corresponding segmentation policy, is based on:

Cloud Visibility
Continuous Discovery, Monitoring, and Compliance

Cloud environments are "black boxes," with management consoles not providing the visibility required to easily solve problems when they occur. Continuous discovery by CSP provides a visual map of the dynamic changes happening across multiple cloud providers. CSP continuously monitors cloud environments to enforce policy compliance and detect abnormal behavior within each workload. CSP also provides automatic remediation to keep the environment compliant and secure. This contextual map of workloads, applications and data flows enables DevOps teams to quickly identify non-compliant activities in the cloud. Because policies are designed and implemented around micro-segmentation, any compliance issue can be identified and fixed without affecting other workloads or data flows. The issue is isolated and fixed while the security and integrity of the cloud environment are maintained.
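The two mechanisms described above, deriving a default-deny segmentation policy from workload Context and observed data flows ("Micro-segment by Default"), and then continuously auditing live flows against that policy and re-provisioning it as workloads come and go (this section), can be illustrated with a small simulation. The following Python is an added example written for this page; it is not Cloudvisory's or CSP's code and does not use any real provider API. Workloads, tags, IP addresses and flow records are constructed sample data, the "Context" is assumed to be the value of a `role` tag, and security groups are modelled as in-memory ingress lists rather than pushed to a cloud provider.

```python
"""Context-driven micro-segmentation: policy generation, audit, re-provisioning.

Added example (not Cloudvisory/CSP code). Provider security groups are
modelled in memory; all workloads and flows below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    id: str
    ip: str
    tags: frozenset  # "key=value" strings, e.g. {"role=web", "env=prod"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_group: str  # source segment is a tag value, never an instance IP
    dst_group: str
    dst_port: int
    proto: str = "tcp"


def context_of(workload, key="role"):
    """The segmentation Context of a workload: the value of the chosen tag key."""
    for tag in workload.tags:
        k, _, v = tag.partition("=")
        if k == key:
            return v
    return "untagged"  # untagged workloads form their own isolated segment


def _resolve(workloads, flow, key):
    """Map a concrete IP-to-IP flow onto a segment-to-segment rule, or None
    if either endpoint is not a known workload."""
    by_ip = {w.ip: w for w in workloads}
    src, dst = by_ip.get(flow.src_ip), by_ip.get(flow.dst_ip)
    if src is None or dst is None:
        return None
    return Rule(context_of(src, key), context_of(dst, key), flow.dst_port, flow.proto)


def generate_policy(workloads, flows, key="role"):
    """Micro-segment by default: the allow-list is exactly the set of observed
    segment-to-segment flows; everything else is implicitly denied. Flows with
    an unknown endpoint (e.g. external clients) are returned for human review
    instead of being silently allowed."""
    rules, unresolved = set(), []
    for f in flows:
        rule = _resolve(workloads, f, key)
        if rule is None:
            unresolved.append(f)
        else:
            rules.add(rule)
    return rules, unresolved


def audit(policy, workloads, flows, key="role"):
    """Continuous compliance check: return the flows not covered by the policy.
    A flow whose endpoints cannot be resolved is a violation as well."""
    return [f for f in flows if _resolve(workloads, f, key) not in policy]


def reprovision(policy, workloads, flows, key="role"):
    """Environment changed (workloads added or removed): recompute the policy
    and report which rules must be provisioned and which de-provisioned."""
    new_policy, _ = generate_policy(workloads, flows, key)
    return new_policy - policy, policy - new_policy


def render_security_groups(policy):
    """Per-segment ingress lists in the shape a provider security group would
    hold; sources reference a group, so instance churn never rewrites rules."""
    groups = defaultdict(list)
    for r in sorted(policy, key=lambda r: (r.dst_group, r.dst_port, r.src_group)):
        groups[r.dst_group].append({"from": r.src_group, "port": r.dst_port, "proto": r.proto})
    return dict(groups)


# Constructed sample inventory and discovered flows (not real data).
WORKLOADS = [
    Workload("web1", "10.0.1.10", frozenset({"role=web", "env=prod"})),
    Workload("web2", "10.0.1.11", frozenset({"role=web", "env=prod"})),
    Workload("app1", "10.0.2.10", frozenset({"role=app", "env=prod"})),
    Workload("db1", "10.0.3.10", frozenset({"role=db", "env=prod"})),
]
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.10", 8080),
    Flow("10.0.1.11", "10.0.2.10", 8080),
    Flow("10.0.2.10", "10.0.3.10", 5432),
    Flow("203.0.113.5", "10.0.1.10", 443),  # external client: needs review
]

if __name__ == "__main__":
    policy, review = generate_policy(WORKLOADS, OBSERVED_FLOWS)
    print("security groups:", render_security_groups(policy))
    print("flows needing review:", review)
    print("violations:", audit(policy, WORKLOADS, [Flow("10.0.1.10", "10.0.3.10", 5432)]))
```

Two properties worth noting: adding a second `app` instance and observing `web -> app2:8080` yields no new rule, because rules are keyed on the tag-derived segment rather than on instance addresses, while removing the database tier causes `reprovision` to report the `app -> db` rule for de-provisioning. A flow from `web` straight to `db` on 5432 is flagged by `audit` even though both endpoints are known workloads, since the policy only ever allowed what was observed between those segments.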